pam_krb5(5) pam_krb5(5)
NAME
pam_krb5 - authentication, account, session and password management
modules for Kerberos 5
SYNOPSIS
/usr/lib/security/$ISA/libpam_krb5.so.1
DESCRIPTION
The KRB5 PAM modules allow integration of Kerberos authentication into
the system entry services (such as login, ftp) using the pam.conf(4)
configuration file. The Kerberos service module for PAM consists of
the following four modules: Authentication module, Account management
module, Session management module and Password management module. All
modules are supported through the same dynamically loadable library.
The KRB5 PAM modules are compatible with MIT Kerberos 5 and Microsoft
Windows 2000.
Authentication Module
The authentication module verifies the user identity and sets the user
credentials. It passes the authentication key derived from the user's
password to the Kerberos security service. The security service uses
the authentication key to verify the user and issues a ticket-granting
ticket. The credential management function sets user specific
credentials. It stores the credentials in a cache file and exports the
environment variable KRB5CCNAME to identify the cache file. The cache
file is stored in the /tmp directory. This module creates a unique
cache file for every session. The credential cache file can be
destroyed using the Session management module.
The following options may be passed to the authentication module
through pam.conf(4):
debug This option allows syslog(3C) debugging information at
LOG_DEBUG level.
krb_prompt This option allows the administrator to change the
password prompt. When set, the password prompt
displayed is "Kerberos Password".
use_first_pass This option allows the initial password (entered when
the user is authenticated to the first authentication
module in the stack) to authenticate with Kerberos. If
the user cannot be authenticated or if this is the
first authentication module in the stack, quit without
prompting for a password. It is recommended that this
option be used only if the authentication module is
designated as optional in the pam.conf(4) configuration
file.
Hewlett-Packard Company - 1 - PAM-Kerberos 1.10 (September 2002)
try_first_pass This option allows the initial password (entered when
the user is authenticated to the first authentication
module in the PAM stack) to authenticate with Kerberos.
If the user cannot be authenticated or if this is the
first authentication module in the stack, prompt for a
password.
forwardable This option allows a ticket-granting ticket with a
different network address than the present ticket-granting
ticket to be issued to the user. For
forwardable tickets to be granted, the user's account
in Kerberos must specify that the user can be granted
forwardable tickets.
renewable=<time>
This option allows tickets issued to the user to be
renewed. For renewable tickets to be granted, the
user's account in Kerberos must specify that the user
can be granted renewable tickets. The renewal time of
the ticket-granting ticket is specified by <time>. The
form of time is the same as the one in kinit.
proxiable This option allows a ticket with a different network
address than the present ticket to be issued to the
user. For proxiable tickets to be granted, the user's
account in Kerberos must specify that the user can be
granted proxiable tickets.
ignore Returns PAM_IGNORE. Generally this option should not
be used. But sometimes it may not be desirable or may
not be necessary to authenticate certain users (root,
ftp, ...) with Kerberos. In such cases you can use this
option in pam_user.conf(4) for per user configuration.
It is not recommended for you to use this option in
pam.conf(4). See the examples section.
Account Management Module
The account management module provides a function to perform account
management. This function retrieves the user's account and password
expiration information from Kerberos database and verifies that they
have not expired. The module does not issue any warning if the account
or the password is about to expire.
The following options can be passed to the Account Management module
through pam.conf(4):
debug This option allows syslog(3C) debugging information at
LOG_DEBUG level.
ignore Returns PAM_IGNORE. Generally this option should not
be used. But sometimes it may not be desirable or may
not be necessary to authenticate certain users (root,
ftp, ...) with Kerberos. In such cases you can use this
option in pam_user.conf(4) for per user configuration.
It is not recommended for you to use this option in
pam.conf(4). See the examples section.
Password Management Module
The password management module provides a function to change passwords
in the Kerberos password database. Unlike when changing a Unix
password, root is always prompted for the user's old password.
The following options can be passed into the password module through
the pam.conf(4) file:
debug This option allows syslog(3C) debugging information at
LOG_DEBUG level.
krb_prompt This option allows the administrator to change the
password prompt. When set, the password prompt
displayed is "Old Kerberos Password" / "New Kerberos Password".
use_first_pass This option allows the initial password (entered when
the user is authenticated to the first authentication
module in the stack) to authenticate with Kerberos. If
the user cannot be authenticated or if this is the
first authentication module in the stack, quit without
prompting for a password. It is recommended that this
option be used only if the authentication module is
designated as optional in the pam.conf(4) configuration
file.
try_first_pass This option allows the initial password (entered when
the user is authenticated to the first authentication
module in the PAM stack) to authenticate with Kerberos.
If the user cannot be authenticated or if this is the
first authentication module in the stack, prompt for a
password.
ignore Returns PAM_IGNORE. Generally this option should not
be used. But sometimes it may not be desirable or may
not be necessary to authenticate certain users (root,
ftp, ...) with Kerberos. In such cases you can use this
option in pam_user.conf(4) for per user configuration.
It is not recommended for you to use this option in
pam.conf(4). See the examples section.
Session Management Module
The session management module provides a function to terminate sessions.
It cleans up the credential cache file created by the Authentication
module.
The following options can be passed into the session management module
through the pam.conf(4) file:
debug This option allows syslog(3C) debugging information at
LOG_DEBUG level.
ignore Returns PAM_IGNORE. Generally this option should not
be used. But sometimes it may not be desirable or may
not be necessary to authenticate certain users (root,
ftp, ...) with Kerberos. In such cases you can use this
option in pam_user.conf(4) for per user configuration.
It is not recommended for you to use this option in
pam.conf(4). See the examples section.
EXAMPLE
Following is a sample configuration in which no authentication is done
with Kerberos for root, i.e., the KRB5 PAM module does nothing and just
returns PAM_IGNORE for user root. For every user other than root, it
will try to authenticate using Kerberos. If Kerberos succeeds, the
user is authenticated. If Kerberos fails to authenticate the user, PAM
will try to authenticate via UNIX PAM using the same password.
pam_user.conf:
# configuration for user root. KRB5 PAM module uses the
# ignore option and returns PAM_IGNORE
root auth /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root password /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root account /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
root session /usr/lib/security/$ISA/libpam_krb5.so.1 ignore
pam.conf:
# For per user configuration the libpam_updbe.1 (pam_updbe(5)) module
# must be the first module in the stack. If Kerberos authentication
# is valid the UNIX authentication function will not be invoked.
login auth required /usr/lib/security/$ISA/libpam_updbe.so.1
login auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
login password required /usr/lib/security/$ISA/libpam_updbe.so.1
login password required /usr/lib/security/$ISA/libpam_krb5.so.1
login password required /usr/lib/security/$ISA/libpam_unix.so.1 try_first_pass
login account required /usr/lib/security/$ISA/libpam_updbe.so.1
login account required /usr/lib/security/$ISA/libpam_krb5.so.1
login account required /usr/lib/security/$ISA/libpam_unix.so.1
login session required /usr/lib/security/$ISA/libpam_updbe.so.1
login session required /usr/lib/security/$ISA/libpam_krb5.so.1
login session required /usr/lib/security/$ISA/libpam_unix.so.1
SEE ALSO
pam(3), pamkrbval(1), pam_authenticate(3), pam_setcred(3), syslog(3C),
pam_close_session(3), pam.conf(4), pam_user.conf(4), pam_updbe(5),
kinit, klist, kdestroy